A mailbox folder is accessed. Note: MS says "Entries for folder bind actions performed by delegates are consolidated. One log entry is generated for individual folder access within a time span of three hours." The time span is now 24 hours in Exchange 2016, 2019 and Online.

Another user was granted permissions to manager another users calendar.

•

n/a

•

UpdateFolderPermissions****

Permissions to access another users folder and the messages in that folder have changed.

•

•

•

UpdateInboxRules***

An inbox rule has been created, deleted or modified.

•

•

•

* Does not apply to Exchange 2016, Exchange 2019 and Exchange Online.
** Does not apply to Exchange 2013.
*** Exchange Online only.
**** Exchange Online only. We have not been able to reproduce this action but have been able to reproduce "AddFolderPermissions" and "RemoveFolderPermissions". We believe that the later two have replaced the "UpdateFolderPermissions" action.

Exchange allows you to set audit policy differently depending on 3 different logon
types when accessing a mailbox:

-AuditDelegate - this specifies the action to be audited by normal users who've
been given access to this mailbox and most actions by administrators.

-AuditAdmin - most actions by administrators are audited by -AuditDelegate, not by this
setting, but some actions, when performed a certain way, result in the logon type
being considered an Admin and are only audited if enabled by this setting. To be safe,
configure this setting to match -AuditDelegate.

In the example below we are enabling auditing on John's mailbox and configuring
it to audit any delegate who sends email as John, or view his mailbox.

You can also suppress “noise events” that are triggered by automated processes such
as virus scanners. To do so, disable mailbox auditing globally for specified application
accounts by using the
Set-MailboxAuditBypassAssociation
cmdlet.